Ask these questions regarding the goals of the penetration test.
- Is it simply to show that you can break into a computer or device?
- Is denial-of-service considered an in-scope goal?
- Is accessing a particular computer or exfiltrating data part of the goal, or is simply gaining privileged access enough?
- What should be submitted as documentation when the test concludes? Should it cover every attempted method, failed and successful, or only the most significant findings? How much detail is needed: every keystroke and mouse click, or summary descriptions? Do the findings need to be captured on video or in screenshots?
It is important that the scope and goals be described in detail and agreed upon in writing, as part of the rules of engagement, before any penetration testing attempt begins.
2. Select the proper pen-testing tools
The penetration tester usually has a standard set of hacking tools that they use all the time, but they may need to look for and stock up on different tools depending on the engagement. For example, if the penetration tester is asked to attack SQL servers and has no relevant experience, they should start researching and testing SQL-specific attack tools before the engagement begins.
Most penetration testers start with a Linux OS “distro” that is specialized for penetration testing. Linux distros for hacking come and go over the years, but right now the Kali distro is the one most professional penetration testers prefer. There are thousands of hacking tools, including a bunch of stalwarts that nearly every pen tester uses.
Beyond quality and fit for the job at hand, the most important property of any hacking tool is that it does not itself contain malware or other code designed to hack the hacker. Many of the hacking tools circulating on the Internet, especially cracked, repackaged, or "free" copies from unofficial sources, carry malware or undocumented backdoors. Well-known, widely used tools such as Nmap can usually be trusted when obtained from the project's official site and checked against the checksums or signatures the project publishes; beyond that, many experienced pen testers write their own tools for critical tasks because they do not want to rely on code they have not read.
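The check a practitioner actually performs on a downloaded tool is to compare its hash against the checksum list the project publishes (and, where available, to verify the project's GPG signature on that list with `gpg --verify`). The following is an added example, not code from the article, from Kali, or from any tool project: it parses a `SHA256SUMS`-style list, hashes the files, and reports each one as `ok`, `mismatch` or `unlisted`. The archive names, their contents and the checksum list are all constructed inline for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse the sha256sum(1) output format, one '<hex>  <filename>' per line.

    A leading '*' on the filename marks binary mode and is dropped. Blank
    lines and '#' comments are ignored. Returns {filename: hex_digest}.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path):
    """Stream the file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file.

    'unlisted' is reported separately from 'mismatch' because a file the
    publisher never listed cannot be vouched for at all; treat it as untrusted.
    """
    name = os.path.basename(path)
    if name not in sums:
        return "unlisted"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, sums[name]) else "mismatch"


def run_demo():
    """Constructed scenario (not a real download): two listed archives, one of
    which was altered after its checksum was published, plus one archive the
    checksum list does not cover."""
    with tempfile.TemporaryDirectory() as d:
        pristine = b"constructed: pristine tool archive bytes"
        altered = b"constructed: tool archive bytes with an unwanted addition"
        files = {
            "tool-1.0.tar.gz": pristine,
            "tool-1.1.tar.gz": altered,
            "unlisted.tar.gz": b"constructed: nobody published a checksum for this",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Constructed checksum list: both entries were computed over the pristine
        # bytes, so tool-1.1.tar.gz (whose bytes changed) must fail verification.
        published = hashlib.sha256(pristine).hexdigest()
        sums = parse_sha256sums(
            f"# constructed SHA256SUMS\n{published}  tool-1.0.tar.gz\n{published}  *tool-1.1.tar.gz\n"
        )
        return {name: verify_download(os.path.join(d, name), sums) for name in files}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{result:9s} {name}")
```

A checksum only proves that what you downloaded matches what the publisher listed; if the checksum file came from the same mirror as the archive, an attacker who replaced one could replace both, which is why the signed checksum list (verified against a key you obtained separately) is the stronger check.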
3. Discovery: Learn about your pen-test target
Every penetration tester begins their attack on an asset (setting social engineering aside for this discussion) by learning as much about the targets as they can: IP addresses, OS platforms, applications, version numbers, patch levels, advertised network ports, user accounts, and anything else that could lead to an exploit. It is rare for a pen tester to spend even a few minutes looking at an asset and not spot a potential vulnerability. Even when nothing obvious turns up, the information gathered during discovery feeds continued analysis and later attack attempts.